January, 1998
Volume 25, No. 1

Our 25th Year
1998 is the 25th year of Risk Management Reports. Do I celebrate at the beginning of this year, or wait until December 1998? Given my age and the precedent of the marking of the millennium, I'll start my musings, recollections and my general surprise that I still have readers after a quarter century.

In the fall of 1973, I suggested a new publication to Rance Crain, then the editor of the fledgling journal Business Insurance, for which I had written several book reviews under the pseudonym "John Street." He agreed to become the publisher and we completed the first issue in January 1974. RMR promised "in-depth analyses of risk and insurance management subjects for the practical, every-day guidance of risk managers, insurance managers, and financial officers of corporations, financial institutions, and educational and governmental bodies." Our goal was to try and "bridge the gap between the theoretical and the practical." RMR began as a 20-40 page monograph on a single risk management subject, preceded by the Editor's "Current Comment," my personal perspective on events, people and articles of interest.

In 1977, my consulting firm, Risk Planning Group, took over the publishing responsibilities from Crain Communications, while I continued as Editor, with no change in its focus. 

Through the Seventies RMR covered product safety, annual reports, EDP security, risk retention levels, workers' compensation, social responsibility, the hold harmless clause, cost allocations, investment income, emergency planning, and insurance bidding and specifications, all highly practical. In 1975 we started an annual review and list of captive insurance companies that eventually, because of size, metamorphosed into the monthly Captive Insurance Company Reports (1977) and the annual Captive Insurance Company Directory (1982). Both continue to be edited by Hugh Rosenbaum and published by Tillinghast-Towers Perrin.

In the Eighties, I deliberately moved farther afield with the monographs, trying to stretch the thinking of subscribers. Issues included information systems surveys, risk analysis in public policy, managing uncertainty, the confluence of banking and insurance, European and Asian views of risk management, crisis management, political risks, multi-line aggregate programs, risk communication, alternative dispute resolution, and global risk management strategies. 

Two issues were popular, based on requests for copies. "Managing Service Providers," by Christopher Duncan (now risk manager for Frito-Lay, in Dallas), was a guide to dealing with brokers, consultants, engineers, lawyers and others who serve the risk management function (No. 4, 1989). "The Risk Management Audit," which I wrote, provided a detailed worksheet of the four elements, fifteen "Guiding Principles," thirty-eight "strategies," and numerous practical "tactics" for an effective risk management program (No. 2, 1988).

In August 1993 I retired from Tillinghast-Towers Perrin, the successor firm to Risk Planning Group, and, finding no ready takers for the task of writing and editing RMR, I decided to continue it, but in a revised format. In January 1994 Risk Management Reports became a monthly six-page publication, my "personal observations on the fascinating and evolving world of risk management." It echoed my belief in a more holistic, integrated and strategic form of the discipline, a new approach to living with the uncertainties of modern living. I challenged the prevailing idea that risk involves only harm, arguing that reward is an equally important element in any diagnosis.

As we start the 25th year, I find my thinking has evolved as radically as the discipline. The twin faces of risk are now accepted. Risk is a strategic challenge, and its management requires balance, not just elimination. While we should address all risks strategically, we should take advantage of different tactical solutions, such as derivatives, swaps, hedges, options, insurance, credit, claims management, and public regulations. We are now far more sophisticated in our analyses of risk.

My continued goal is to listen and speak to other risk professionals, be they members of the Society for Risk Analysis (public policy), the Global Association of Risk Professionals (financial risk), or the Risk & Insurance Management Society and its numerous counterparts worldwide (operational risk). We are all part of the same dynamic movement.

Given my advantages of retirement and the perspective of forty years in consulting, I will try to stretch my readers' minds beyond the constraints of "business" reading. As Roger Rosenblatt put it in "Ah, Cyberspace!," in Ideas, Vol. 5, No. 1: "If we only learn what we believe we need to know, how will we discover those things we do not know that we need to know, or that we forget we need to know?"

. . . we have been outflanked by our real enemies - the forces that regard humane learning as an irrelevant fossil in the brave new world of technology, the panzer divisions which bypass history, ethics, and aesthetic values in their zeal for immediate solutions to social and economic problems, the shock troops of vulgarity, the serried ranks of those concerned only with vocational training and career advancement.

W. Robert Connor, "A Commonwealth of Wit and Learning,"
Annual Report of the National Humanities Center, 1996-1997

Issues for 1998
What are the risk management issues for 1998? Here are my personal bets in this annual ritual.

Last year my "issues" were political changes (particularly Hong Kong and Great Britain), the advent of geriatric politics, the continued focus on environmental liabilities, a market correction (both stock and insurance), the need to focus on business continuity, and the slow change toward a "chief risk officer" administering the risk management function. Looking back, I can't fault my selections, although neither of the forecast political changes has caused major ripples. I've again organized my views within the four categories of risk: operational, financial-market, legal liability, and regulatory-political.

Operational Risks

Information technology leads the list. Organizations are growing more dependent on data and systems, from intranets to the Internet. Is a systemic failure possible? More executives carry key data on their expensive personal computers, raising problems of hardware and software security. CFO Magazine (October 1997) reports that more than half of 563 companies responding to a survey sustained laptop thefts in the past twelve months. Other problems are active wiretaps, telecom fraud, viruses, insider abuse, system penetration, theft of proprietary information and simple sabotage. The Year 2000 problem (Y2K) surfaces daily in the press and on the Internet. No one knows the full extent of this, but the costs to correct will be enormous. Failure to act could mean chaos. One observer suggests retreating on January 1, 2000 to a warm climate, with plenty of cash and supplies, until we see what actually happens! If that isn't enough worry, consider the forecast of the Leonid meteor shower that could possibly affect global satellite communications on November 17, 1998 and November 18, 1999 (see story below). Dealing with data, their transmission and their storage, is already a major concern for systems managers. Understanding the degree of dependency and structuring contingency plans are the responsibilities of risk managers.

Financial-Market Risks

Market instability will certainly continue to be a major issue for financial officers and risk managers through 1998. While the ripples of the financial crises in East Asia (Malaysia, Indonesia, Thailand, South Korea and Japan) are the result of different problems, their combined effect could be a tsunami. In Europe, the introduction of the euro is scheduled for January 1, 1999. Will it happen? Who will opt in and out? What will be the cost to those doing business there? If euros exist side by side with existing currencies for six months, as planned, the costs and confusion may be geometric. Consider the insurance market, since many of my readers are closely connected to it. Classic disintermediation by buyers is eroding its marketing structure. Use of capital markets, in its infancy, will undoubtedly expand as new investors are found and as buyers become conversant with techniques. Banks are surging into the openings created by acquiescent regulators. Customers are beginning to see the double advantages of greater convenience and lower costs, just as they have found in Europe (bancassurance, etc.). Innovative underwriters offer their wares on the Internet while traditional insurers and threatened state regulators try to scuttle the movement or attach controls. It's similar to trying to put a suit on an octopus. I also hear continuing concerns voiced about the ability of the non-life insurance industry to survive a major catastrophe. Swiss Re concluded that "the reinsurance covers (against catastrophes) in most markets are insufficient" (Sigma, No. 7, 1997). The authors went on: "The occurrence of such a loss (a major catastrophe, ranging from a $50-$60 billion windstorm or earthquake in the US, to a $2 - $10 billion windstorm in Europe) would mean that the insured losses to be borne by the insurers would be so great that their equity bases would come under considerable strain." If a major catastrophe occurs in 1998, the fallout could be severe.

Legal Liability Risks

I don't see any startling new issues arising in 1998, just more of the disturbing same. The United States still leads the world in legal irrationality: denial of personal and corporate responsibility, class action suits out of control, outrageous punitive damages, and the use of the courts to further purported social ends. The "entitlement society" continues unabated. As the social contract that once existed between employer and employee disintegrates, new reasons to sue are discovered daily (see the Donald Westlake quote below for an extreme but common view of the situation!). Employment Practices Liability continues to be a key issue for US risk managers, as does environmental liability, which I earlier labeled as the "risk management issue of the decade." The conclusions of the Kyoto Conference in December 1997 focus continued high publicity on "global warming." 

While serious observers disagree about the causes and possible future effects, there is no doubt that growing public demand for some action will result in more stringent regulations and controls - and legal liabilities for failure to adhere to them.

Regulatory-Political Risks

The Middle East replaces Hong Kong and the Far East as the focus of concern for 1998. The hard-line fundamentalism of some of the Islamic countries seems to be more muted as practical politicians emerge. It remains, however, a powder keg. Elsewhere, in East Asia, India, Russia and South and Central America, economic worries are taking more time and headlines. I suspect that the global environmental "problem" and corporate "downsizing" in the US will mean more, rather than less, regulation, despite the desires of a Republican-controlled Congress. The November Congressional elections in 1998 could see a shift back to the Democrats and that could mean a more active government in the last two years of the Clinton Administration.

Three general issues bother me. First is "millennium fever." The arrival of a year with three zeros will have an enormous psychological effect on people, much of it unpredictable. Records from the year 1000 report examples of mass hysteria and belief that the world was coming to an end. Are we any more rational today? The explosion of "FUD" (fear, uncertainty and doubt) on the Internet about the Y2K problem is evidence that we may attach far more to those four numerals than they deserve. Don't be surprised to see more FUD in the next two years!

Crisis management is the second. Whatever the term - crisis management, emergency planning, contingency planning, business recovery planning - a major role for any risk manager should be to design and implement a plan that can help an organization rebound from any untoward event, from an earthquake or product contamination to a misplaced sign that aggravates a customer. We're learning two things about crisis management. Reputation is the most important asset that we have, and crises can no longer be controlled in the manner once thought possible. Acknowledging reputation as the critical asset requires a different response following a crisis event. Consider the owner's positive and humane response following the Malden Mills fire, in Lowell, Massachusetts, three years ago. Stonewalling behind a legion of lawyers compounds a crisis. Worrying about legal liability and admissions of "guilt" are secondary to reassuring stakeholders about the ability of the organization to survive. The old "command and control" approaches to crisis management are ineffective. Information moves too fast. The new approach requires a flexible plan and team, working with various segments of the organization's "community" to rebound and recover. Here's an opportunity for the organizational risk manager in 1998. I'll be writing more on this issue in later RMRs this year.

Finally, a continuing issue from 1997 is the growing movement toward appointing a Chief Risk Officer, an individual reporting to the CEO and the Board, not the Treasurer, Financial Officer, General Counsel or Secretary. It acknowledges that risk management is more risk assessment and analysis, more building risk awareness within operating units, and more viewing risks strategically, than it is financing risks. Royal Bank Financial Group, in Toronto, and Fidelity Investments, in Boston, already have CROs. Fidelity's James Lam won the "Risk Manager of the Year" award from the Global Association of Risk Professionals. Other organizations will study this idea in 1998, to determine if the heralded benefits are as advertised, and if the consolidation and coordination of a risk program can avoid the turf warfare that almost inevitably breaks out. There is a potential key role here for today's "risk managers," be they financial, public policy or insurance. The skills of diplomacy will be critical.

Lee Puschaver and Robert Eccles, of Price Waterhouse, recognized this in a perceptive article entitled "In Pursuit of the Upside: The New Opportunity in Risk Management," published by Price Waterhouse in 1997: " . . . we look at both risk assessment - understanding the potential upside and downside of actions - and the management of risk to raise the possibility of success, reduce the probability of failure, and decrease the uncertainty of overall financial performance." They, too, see the emergence of the Chief Risk Officer. They argue that "successful, long-term risk management" involves "managing risk on the upside - an offensive function, managing risk on the downside - a defensive function, and managing uncertainty." The CRO focus is to coordinate three functional emphases: compliance and prevention, operating performance, and strategic initiatives, or, as they call it, the "Business Risk Continuum." An organization needs an integrated approach, a common language, and "periodic assessments of the total risk profile of the entire company." It also requires asking each business or functional unit to take responsibility for its own risks, their assessment, and their control, within overall corporate guidance. That guidance comes from the CRO who is responsible for business, operational, market, credit, and organizational risks, supported by a "forum" of senior operating and staff executives.

As usual, 1998's risk issues and the challenge of new forms of responses create an opportunity for the new risk manager.

These are all publicly held corporations, and it is the stockholders' drive for return on investment that pushes every one of them. Not the product, not the expertise, certainly not the reputation of the company. The stockholders care about nothing but return on investment, and that leads to supporting executives who are formed in their image, men (and women, too, lately) who run companies they care nothing about, lead work forces whose human reality never enters their minds, make decisions not on the basis of what's good for the company or for the staff or the product or (hah!) the customer, or even the greater good of the society, but only on the basis of stockholders' return on investment.

The lament of Burke Devore, the lead character in Donald Westlake's The Ax, The Mysterious Press, New York, 1997

(I highly recommend this explosive and challenging novel to my risk management readers - one of the best of 1997 - Ed.)

Optimist vs. Pessimist
One of my recurring complaints about the insurance underwriting fraternity is that it usually sees the glass as half empty rather than half full. It finds a way to deny coverage if possible, rather than seeking opportunities to provide cover. Last year a prominent corporate risk manager developed an innovative longer-term financing plan, incorporating a substantial retention, and offered it to a leading global insurer. He sent me a series of quotes from the initial response letter:
". . . we could not support . . . .

. . . the coverage is defined in such a way as to almost invite (sic) the insured to dismantle his own control system since it is to be replaced by insurance . . .

. . . we at least would not agree . . .

. . . one can sensibly argue that the insurer cannot be called upon to . . .

. . . not acceptable . . .

. . . the insurer can hardly be expected . . .

. . . we would most assuredly not wish to offer . . .

. . . we are seeking to exclude . . .

. . . there are various further exclusions we would look for . . .

. . . yours sincerely . . ."

I admit that all of this is egregiously taken out of context, but it is so familiar to those dealing with Neanderthals that it becomes humorous. No wonder that organizations are turning to the capital markets and to their own resources for risk financing: at least they find a more "can we do it?" attitude there.

Postscript: the risk manager was eventually able to persuade this insurance organization to subscribe to his proposal.

You've got to try everything once, except those things you don't like, or that involve a lot of effort and getting up early.

Tibor Fischer, The Thought Gang, Scribner, New York, 1994 

My friend Wulf Walter, at Bavarian Reinsurance Company, in Munich, sent me its latest publication, "The Leonid Meteor Shower - a Risk for Space Operations." I immediately thought, "what on earth (or, I should say, in heaven) does a meteor shower have to do with today's risks?" It seems that the comet 55P/Tempel-Tuttle includes a trail of particles called the Leonid meteor shower that passes the Earth's orbit once every 33.25 years. When it comes closest, as in 1833, the shower is spectacularly visible. This shower is scheduled to pass close to the Earth's orbit on November 17, 1998 and November 18, 1999. The risk lies in the possibility that some of these high speed particles might collide with the artificial satellites on which much of our global communications and navigation depend. We have some 200 satellites in geostationary orbit, most insured and all essential to information flow. While the risk, as calculated by Bavarian Re and its advisors, is between a few tenths of a percent and 1%, it argues that, with 200 satellites, it is probable that at least one will be hit, with unknown consequences. Beyond the fact that this is an exceptional document, both graphical and intellectual, it raises again the question of our dependence on satellites for navigation and communications. Also, because of its name - Tempel-Tuttle - it reminded me of a paragraph from Robertson Davies' novel, Tempest-Tost: "You like the mind to be a neat machine, equipped to work efficiently, if narrowly, with no extra bits or useless parts. I like the mind to be a dustbin of scraps of brilliant fabric, old gems, worthless but fascinating curiosities, tinsel, quaint bits of carving, and a reasonable amount of healthy dirt. Shake the machine and it goes out of order; shake the dustbin and it adjusts itself beautifully to its new position."

My thanks to Bavarian Re for a scrap of brilliant fabric that caused me to reflect.

What I learned most of all from the perspective of a sabbatical is how quickly the media zips through a spin cycle, inflating almost any event into equally epic proportions, wringing every last drop out of it, then dropping it in the memory hole as soon as a better (i.e., more salacious) one comes along. When nothing's happening, desperate prognosticators, print and broadcasters alike, will do desperate things. . .

Frank Rich, "What, Me Worry?," The New York Times,
November 4, 1997

